European Union

A data broker is selling my personal information. How do I stop this?

72 hours
Response deadline
Free request
No fee required
Right to object
GDPR Art. 21
Right to erasur
GDPR Art. 17
The Short Answer

You have the right to object to the sale of your personal data under the GDPR, and can demand erasure or restriction of processing from any data broker handling your information.

What the Law Says

The General Data Protection Regulation (GDPR) gives you strong rights to control how your personal data is collected, used, and shared — including by data brokers.

Under the GDPR, data brokers are considered 'controllers' if they determine the purposes and means of processing your personal data — meaning they must comply fully with your rights.

You have the right to object at any time to processing of your personal data for direct marketing (including profiling), and the controller must stop immediately — no justification needed.

You also have the right to erasure ('right to be forgotten') when your data is processed solely for direct marketing, or when it's no longer necessary for the purposes for which it was collected.

Controllers must respond to your request without undue delay — and in any case within one month. That deadline can be extended by two further months where necessary, but you must be informed within one month of receipt of the request.

Statutory Text

The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her... for direct marketing purposes.

Regulation (EU) 2016/679, Art. 21(2) — Right to object
Statutory Text

The controller shall erase personal data without undue delay and… shall take reasonable steps… to inform controllers which are processing the personal data that the data subject has requested the erasure…

Regulation (EU) 2016/679, Art. 17(2) — Right to erasure

What to Do

1

Identify the data broker: Use tools like Have I Been Pwned or the EU’s Your Online Choices portal to find who holds or sells your data.

2

Submit a clear written objection or erasure request via email or web form — include your name, contact details, and description of the data (e.g., 'my email address and phone number sold for marketing').

3

Cite GDPR Articles 17 and 21 explicitly and state you expect action within one month.

4

If ignored or refused, file a complaint with your national Data Protection Authority (e.g., CNIL in France, ICO in UK pre-Brexit, or the Irish DPC for many EU-based platforms).

Sources

statuteRegulation (EU) 2016/679, Art. 17 — Right to erasure ('right to be forgotten')statuteRegulation (EU) 2016/679, Art. 21 — Right to object

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.